HIPAA Compliance and SurveyMonkey

Is SurveyMonkey compliant with HIPAA?

SurveyMonkey enables covered entities to collect protected health information (PHI) in online surveys in a way that permits compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) — a United States law. As a business associate to covered entities, SurveyMonkey has adopted measures to ensure that it remains in compliance with HIPAA and any business associate agreements it enters into. SurveyMonkey allows its users to collect PHI in surveys if they have a HIPAA-enabled account and a business associate agreement in place.

What does it mean to be "HIPAA compliant"?

For SurveyMonkey, being "HIPAA Compliant" means that we offer a service that enables covered entities to collect and manage PHI through surveys in a manner compliant with HIPAA. As part of offering this service, SurveyMonkey ensures that it operates in a way that is consistent and compatible with those laws and SurveyMonkey's role as a business associate to a covered entity user.

What is a HIPAA-enabled account? How do I get a HIPAA-enabled account? How do I enter into a BAA with SurveyMonkey?

A HIPAA-enabled account is an account which SurveyMonkey permits to collect PHI. In accordance with our Terms of Use, users may only collect PHI if they have a HIPAA-enabled account. HIPAA-enabled accounts also have additional features that help covered entities comply with HIPAA.

HIPAA-enabled accounts are available at no extra charge as an optional add-on to a PLATINUM plan or Enterprise subscription. If you have a PLATINUM plan or Enterprise subscription, you may HIPAA-enable your account by entering into a business associate agreement (BAA) with SurveyMonkey.

For step-by-step instructions, see this article: Enabling HIPAA-Compliant Features on Your Account

Please note:

  • SurveyMonkey account holders must ensure that the BAA is only accepted by someone from their organization who is authorized to enter into a BAA. This may mean that the “name” field in the BAA acceptance form needs to be the name of someone other than the account holder.
  • SurveyMonkey's Terms of Use prohibit the collection of PHI without a BAA in place.
  • HIPAA-enabling your account is a one-way street. Once an account is HIPAA-enabled, it cannot be reverted to a non-HIPAA account. If the BAA is terminated, your account will also need to be closed.

Can I purchase multiple HIPAA-enabled accounts for my organization through SurveyMonkey Enterprise?

Yes! The Primary Admin of an Enterprise group can enter into a BAA on the My Group page. One BAA covers an entire Enterprise HIPAA Group, and all group members are able to view a copy of that BAA through their account’s “My Account” page. Learn more: Enterprise HIPAA Groups

Will SurveyMonkey enter into our business associate agreement?

Covered entities are required by HIPAA to have a written contract in place with each of their business associates that meets the applicable requirements under HIPAA.

SurveyMonkey offers a standard form BAA which meets the requirements of HIPAA and lets covered entities enter into it online via a convenient clickthrough mechanism. When a covered entity accepts the BAA, the name and title of the individual signing on behalf of the entity is recorded, along with the date of acceptance. A copy of the BAA is then made available for download or future reference through the My Account page. Upon acceptance of the BAA, an account will be converted into a HIPAA-enabled account.

We acknowledge that some covered entities have certain items they need to include in BAAs with their business associates. Because we offer HIPAA-enabled accounts at no additional cost, we do not negotiate customer form BAAs. However, we are open to negotiating our standard BAA for a fee.

Can I get a copy of your standard BAA to review?

You can view a copy of our standard BAA here: Business Associate Agreement (Preview Version Only)

What security measures does SurveyMonkey employ?

As required by HIPAA, we implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic protected health information that we receive, maintain, and transmit on behalf of covered entities with respect to their HIPAA-enabled accounts. These safeguards include measures required by the Security Rule, such as:

  • Regular risk assessments of systems to ensure that safeguards remain relevant and effective
  • Assigned security team which is responsible for maintaining compliance with HIPAA’s security requirements
  • Screening, authorization, and training of SurveyMonkey staff who come into contact with customer PHI
  • Data backup plans
  • Disaster recovery plans
  • Systems regularly monitored, updated, and patched
  • Incident response plan that includes reporting of security incidents to affected covered entities
  • All communications with SurveyMonkey servers encrypted with SSL

For more information, see our Security Statement.

What additional features do HIPAA-enabled accounts offer?

HIPAA-enabled accounts offer some additional features that are required by HIPAA, as well as others that help covered entities comply with their own HIPAA obligations. These include:

  • Security reminders: we remind end users of their HIPAA obligations with in-product messages that appear whenever they perform certain sensitive operations on PHI (such as attempting to share PHI with third parties).
  • Automatic logoff: we time out user sessions after 30 minutes of inactivity.
  • Logging: we provide enhanced logging of account access activity and modifications to survey data.
  • BAA: view a copy of your BAA through your online account interface.

What logging do you provide with my account? How do I access my account logs?

We log a variety of events relating to HIPAA-enabled accounts by timestamp, identity (IP address and/or account username), and event type. Event types that we log include:

  • Account login successes and failures
  • Account manual logouts
  • Account password reset requests
  • Account username requests
  • Collector deletions, openings and closings
  • Survey response exports
  • Survey response sharing and unsharing
  • Survey response deletions
  • API application authorizations and deauthorizations
  • Transferring surveys to other accounts
  • Whether the user or a SurveyMonkey admin performed the event

At the moment, we do not have a way by which you can access these logs through your online account. You may request logs by contacting our customer support team.

Can a HIPAA-enabled PLATINUM account be reverted into a regular account? Can I downgrade my PLATINUM plan?

No. Once you convert to a HIPAA-enabled PLATINUM account, it cannot be reverted to a regular account, and it must also be maintained under a PLATINUM plan. If you want a regular account or a lower-tier plan, you must open a new account. Note that you can transfer surveys from your HIPAA-enabled account to a regular account, but you must be very careful not to transfer any surveys that contain PHI (we do not permit users to store PHI in regular accounts, and regular accounts are not covered by a BAA).

What happens if I decide not to renew my HIPAA-enabled account?

If you decide you no longer need to use SurveyMonkey and do not renew your HIPAA-enabled account, your account will be placed into a suspended state. While suspended, SurveyMonkey will preserve all data contained in the account and continue to treat it in accordance with the BAA. However, you will not be able to access your survey data or account directly (except for limited billing and account administration functions).

SurveyMonkey will retain a suspended account for the period of time stated in the BAA in order to provide you with an opportunity to unsuspend your account by renewing it. At the end of the suspension period, SurveyMonkey will close your account and delete all data in it.

While an account is suspended, you may also request SurveyMonkey to export a copy of all your survey data, or request SurveyMonkey to close your account immediately. Contact our customer support team to do so.

What happens if I close my HIPAA-enabled account or terminate my BAA?

If you close your HIPAA-enabled account or Enterprise group, the BAA will terminate.

If you terminate the BAA, then, subject to the terms of the BAA, your HIPAA-enabled account or Enterprise group will be closed. Our standard BAA is written so as to always provide you with an opportunity to save a copy of your survey data before your account is closed.

Does HIPAA apply to me?

If you are not a “covered entity” (as defined by HIPAA), or are not using SurveyMonkey to collect or store PHI (generally any information about the health status, provision of health care, or payment for health care that can be linked to a specific individual, such as an individual’s name and/or contact details combined with information about health care that the individual received), then HIPAA likely does not apply to your use of SurveyMonkey.

If you have a PLATINUM plan or Enterprise subscription, you may HIPAA-enable your account by entering into a business associate agreement (BAA) with SurveyMonkey.